SYMBOLCOMMON_NAMEaka. SYNONYMS
win.trochilus_rat (Back to overview)

Trochilus RAT

Actor(s): APT31, GALLIUM, Stone Panda

Trochilus is a C++ written RAT, which is available on GitHub.
GitHub Repo:
- https://github.com/m0n0ph1/malware-1/tree/master/Trochilus
- https://github.com/5loyd/trochilus

References
2022-09-15SymantecThreat Hunter Team
@online{team:20220915:webworm:500c850, author = {Threat Hunter Team}, title = {{Webworm: Espionage Attackers Testing and Using Older Modified RATs}}, date = {2022-09-15}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats}, language = {English}, urldate = {2022-09-20} } Webworm: Espionage Attackers Testing and Using Older Modified RATs
9002 RAT Ghost RAT Trochilus RAT
2022-09-13SymantecThreat Hunter Team
@online{team:20220913:new:2ff2e98, author = {Threat Hunter Team}, title = {{New Wave of Espionage Activity Targets Asian Governments}}, date = {2022-09-13}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments}, language = {English}, urldate = {2022-09-20} } New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT
2022-04-27TrendmicroDaniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220427:operation:bdba881, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Gambling Puppet}}, date = {2022-04-27}, institution = {Trendmicro}, url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf}, language = {English}, urldate = {2022-07-25} } Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
2021-01-15SwisscomMarkus Neis
@techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2020-06-24Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:62b58ff, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Targets Supply Chains}}, date = {2020-06-24}, url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains}, language = {English}, urldate = {2020-06-26} } BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31
2020-06-03Trend MicroDaniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31
2019-02-06Recorded FutureInsikt Group, Rapid7
@techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Trochilus RAT APT31 HURRICANE PANDA
2017-11-03Github (5loyd)5loyd
@online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } Trochilus
Trochilus RAT
2017-04-03JPCERT/CCShusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123, author = {Shusei Tomonaga}, title = {{RedLeaves - Malware Based on Open Source RAT}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html}, language = {English}, urldate = {2022-06-22} } RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves Trochilus RAT
2017-04PricewaterhouseCoopersPricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2015-08Arbor NetworksASERT Team
@online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9
Yara Rules
[TLP:WHITE] win_trochilus_rat_auto (20221125 | Detects win.trochilus_rat.)
rule win_trochilus_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.trochilus_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8be5 5d c20c00 8b4d08 89480c 8b4d0c }
            // n = 6, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   89480c               | mov                 dword ptr [eax + 0xc], ecx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_1 = { 033485c02b0110 8b45f8 8b00 8906 8b45fc 8a00 884604 }
            // n = 7, score = 100
            //   033485c02b0110       | add                 esi, dword ptr [eax*4 + 0x10012bc0]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8a00                 | mov                 al, byte ptr [eax]
            //   884604               | mov                 byte ptr [esi + 4], al

        $sequence_2 = { e8???????? 33db 53 57 ffb634010100 ffb630010100 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ffb634010100         | push                dword ptr [esi + 0x10134]
            //   ffb630010100         | push                dword ptr [esi + 0x10130]
            //   e8????????           |                     

        $sequence_3 = { 395c3004 75c8 ff4f24 8b0430 3bc3 7408 8b10 }
            // n = 7, score = 100
            //   395c3004             | cmp                 dword ptr [eax + esi + 4], ebx
            //   75c8                 | jne                 0xffffffca
            //   ff4f24               | dec                 dword ptr [edi + 0x24]
            //   8b0430               | mov                 eax, dword ptr [eax + esi]
            //   3bc3                 | cmp                 eax, ebx
            //   7408                 | je                  0xa
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_4 = { 8917 894f04 8910 8b5508 85d2 7413 8b4dec }
            // n = 7, score = 100
            //   8917                 | mov                 dword ptr [edi], edx
            //   894f04               | mov                 dword ptr [edi + 4], ecx
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   85d2                 | test                edx, edx
            //   7413                 | je                  0x15
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]

        $sequence_5 = { 5b c3 85c0 7503 8d4204 894104 }
            // n = 6, score = 100
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85c0                 | test                eax, eax
            //   7503                 | jne                 5
            //   8d4204               | lea                 eax, [edx + 4]
            //   894104               | mov                 dword ptr [ecx + 4], eax

        $sequence_6 = { 8365d800 c745dc97af0010 a1???????? 8d4dd8 33c1 8945e0 8b4518 }
            // n = 7, score = 100
            //   8365d800             | and                 dword ptr [ebp - 0x28], 0
            //   c745dc97af0010       | mov                 dword ptr [ebp - 0x24], 0x1000af97
            //   a1????????           |                     
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   33c1                 | xor                 eax, ecx
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]

        $sequence_7 = { 83c40c 3b4108 7d1d 81beb080000000200000 0f8c09ffffff eb0b 57 }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   3b4108               | cmp                 eax, dword ptr [ecx + 8]
            //   7d1d                 | jge                 0x1f
            //   81beb080000000200000     | cmp    dword ptr [esi + 0x80b0], 0x2000
            //   0f8c09ffffff         | jl                  0xffffff0f
            //   eb0b                 | jmp                 0xd
            //   57                   | push                edi

        $sequence_8 = { e8???????? 8bf8 85ff 0f84f0000000 0fb7865c010100 6640 8bd7 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   0f84f0000000         | je                  0xf6
            //   0fb7865c010100       | movzx               eax, word ptr [esi + 0x1015c]
            //   6640                 | inc                 ax
            //   8bd7                 | mov                 edx, edi

        $sequence_9 = { bf06020000 57 668985ecfbffff 8d85eefbffff 53 50 c785e0fbffff03000000 }
            // n = 7, score = 100
            //   bf06020000           | mov                 edi, 0x206
            //   57                   | push                edi
            //   668985ecfbffff       | mov                 word ptr [ebp - 0x414], ax
            //   8d85eefbffff         | lea                 eax, [ebp - 0x412]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   c785e0fbffff03000000     | mov    dword ptr [ebp - 0x420], 3

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules